[Security Weekly] UCSF Pays $1.14 Million in Ransom Following NetWalker Ransomware Attack

1st Week of July 2020


1. UCSF pays $1.14 million in ransom following NetWalker ransomware attack

After weeks of negotiations, the University of California, San Francisco (UCSF) ended up paying $1.14 million in ransom to the threat actors behind the NetWalker ransomware.

Back on June 1, UCSF discovered a cyberattack that affected some of its School of Medicine servers. The university prevented the attack from spreading further by isolating the affected IT systems immediately. Unfortunately, many databases stored on the affected servers had already been encrypted by the attackers.

Widely regarded as the world’s best medical research university, UCSF is a postgraduate-only institution under the University of California university system, dedicated entirely to studies in health science.

According to UCSF, the attack did not affect its university hospitals and COVID-19 research labs. However, the compromised databases contained some priceless academic research work that “serves the public good”, forcing the university to pay a high price to regain access to them.

Research facilities and universities are relatively decentralized and democratic compared to enterprises, making them attractive targets for ransomware groups.

Click here to learn how to effectively defend against a double extortion ransomware attack.

Sources: SC Media, Infosecurity


2. Websites of eight US cities attacked by Magecart-style skimmers

Security researchers recently discovered a series of Magecart[1] attacks on the websites of eight US municipalities spanning three states, all of which use the Click2Gov payment software.

Click2Gov is a web application that allows users to pay for municipal services and fines such as utility bills and parking tickets with their credit cards. It appears that the Magecart skimmers only targeted the Click2Gov application.

The attackers injected malicious JavaScript code into the payment application and planted a credit card skimmer in the payment form. When a user clicks the “submit” button after filling out their name, billing address, credit card number, expiration date, and CVV2, this information is copied and sent to a remote server controlled by the attackers, while the legitimate payment still goes through.

The researchers did not disclose which cities were affected. It also remains unclear whether the skimmers were successfully removed.

Source: Threatpost

[1] Magecart is a general term describing attacks that plant skimmers on web applications to steal financial information.
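As an added defensive illustration (not code from the article or from Penta Security), the guard below wraps the browser APIs a skimmer would use to ship form data and reports any destination whose origin is not on the payment page's allowlist; the origins and the telemetry callback are hypothetical. A server-enforced Content-Security-Policy (connect-src, form-action) remains the actual control; this only makes unexpected exfiltration visible.

```javascript
// Added example (not from the article or Penta Security): a client-side guard
// for a payment page that flags outbound requests to any origin not on the
// page's allowlist, the kind of request a Magecart skimmer makes on submit.
// Origins below are hypothetical placeholders.

const PAGE_ORIGIN = 'https://payments.example-city.gov';   // hypothetical
const ALLOWED_ORIGINS = new Set([
  PAGE_ORIGIN,
  'https://gateway.example-psp.com',                        // hypothetical PSP
]);

// Resolve a request target (absolute or relative) and decide whether it is expected.
// A scheme downgrade (http:// for an allowlisted https:// host) is a different
// origin and is therefore rejected too.
function classifyOutbound(url, allowed = ALLOWED_ORIGINS) {
  let origin;
  try {
    origin = new URL(String(url), PAGE_ORIGIN).origin;
  } catch (_) {
    return { allowed: false, origin: null, reason: 'unparseable URL' };
  }
  if (allowed.has(origin)) return { allowed: true, origin, reason: 'allowlisted' };
  return { allowed: false, origin, reason: 'origin not on allowlist' };
}

// Wrap fetch, navigator.sendBeacon and XMLHttpRequest.open so that every
// unexpected destination is handed to `report` (e.g. a first-party telemetry
// endpoint) before the original call proceeds. `win` is the window object,
// injectable so the guard can be exercised offline without a browser.
function installOutboundGuard(win, report) {
  const wrap = (obj, name, getUrl) => {
    const orig = obj[name];
    if (typeof orig !== 'function') return;
    obj[name] = function (...args) {
      const url = getUrl(args);
      const verdict = classifyOutbound(url);
      if (!verdict.allowed) report({ api: name, url: String(url), ...verdict });
      return orig.apply(this, args);
    };
  };
  wrap(win, 'fetch', (a) => (a[0] && a[0].url) || a[0]);
  if (win.navigator) wrap(win.navigator, 'sendBeacon', (a) => a[0]);
  if (win.XMLHttpRequest) wrap(win.XMLHttpRequest.prototype, 'open', (a) => a[1]);
}
```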


3. LG Electronics and Xerox allegedly hit by Maze ransomware

In late June, threat actors from the Maze ransomware group publicly claimed to have breached both IT giant LG Electronics and business solutions provider Xerox.

Both companies were added on the Maze ransomware group’s website as newly confirmed victims. As is always the case with Maze ransomware, the attackers did not release the details of how the intrusion was done, but instead posted screenshots to prove their act.

In the case of LG Electronics, the attackers claimed to have stolen confidential information on development projects involving other large corporations. The attackers posted a screenshot of a Python code repository, claiming that 40GB of source code had been compromised.

Soon after, Xerox was added to the list of victims. The attackers claimed to have completed their encryption on June 25 and uploaded screenshots showing directory listings. A total of 100GB of files were allegedly compromised, which the attackers threatened to disclose if no agreement on a ransom payment is reached.

Neither LG Electronics nor Xerox has yet confirmed or denied the claims.

Sources: Bleeping Computer, Bleeping Computer


4. Hacker group KelvinSecurity breaches Frost & Sullivan and BMW databases

Frost & Sullivan, a Californian consulting firm that offers strategic management and market analysis services to businesses across the globe, suffered a data breach in late June in which personal information of employees and customers was posted for sale on the dark web.

The threat actor behind the breach is the Russia-based hacker group KelvinSecurity. According to Bleeping Computer, KelvinSecurity discovered an unsecured backup database sitting on one of Frost & Sullivan’s public servers. The hackers initially tried to contact Frost & Sullivan about the exposure but received no response, after which they decided to sell the data online.

The posted data include the full names, login credentials, and email addresses of over 6,000 customers and 6,146 employees.

Soon after the Frost & Sullivan incident, KelvinSecurity posted another database containing records of 384,319 BMW owners in the UK. The hackers apparently targeted the IT system of a BMW call center, exposing personal information such as names, addresses, vehicle identification numbers, and dealer names.

Sources: Bleeping Computer, SC Media


Check out Penta Security’s product lines:

Web Application Firewall: WAPPLES

Web Application Firewall for Cloud: WAPPLES SA

Database Encryption: D’Amo

Authentication: ISign+

Smart Car Security: AutoCrypt